As you are maybe aware, Grsecurity will stop publishing its stable kernel patches to the public:

Quote:

Therefore, two weeks from now, we will cease the public dissemination of the stable series and will make it available to sponsors only. The test series, unfit in our view for production use, will however continue to be available to the public to avoid impact to the Gentoo Hardened and Arch Linux communities. If this does not resolve the issue, despite strong indications that it will have a large impact, we may need to resort to a policy similar to Red Hat's, described here or eventually stop the stable series entirely as it will be an unsustainable development model.

Read with Chrome - it will auto-translate for you.
It specifically says that Gentoo Hardened will not be affected, because it uses the development branch. It's the stable branch that's being removed.

Well, this is actually not true, as it does affect Gentoo because there won't be any long-term hardened kernel like we had with 3.14.51 and 3.2.71, which are still in the portage tree...
Thus Gentoo users can still play with the latest and hottest hardened kernel, but if they want stable servers they'll need to patch their stable kernel themselves...
Not a big deal if kernel patches would always cleanly apply to hardened sources...

This is terrible news. The optimist in me hopes this might lead to an increased focus on the KSPP, and the eventual inclusion of at least some of the features of grsecurity into the kernel, but I'm not hopeful. Most likely, this just means a less secure kernel for everyone who can't pay for grsecurity, which is most people, outside large corporations.

Money is only the initial gating factor. According to the commentary elsewhere, their terms currently provide that public redistribution would cancel the contract that gives access to the updates. Unless they grant some sort of exemption, which seems very unlikely, the patches are now effectively restricted to companies that voluntarily refrain from redistribution.

I don't believe grsec will survive with the new model much longer. Of course they are in a better position to judge that than I am, and obviously they disagree... But let's see.

Keep in mind that there is a fourth method to get the src, one very hard for their customers to control:
Buy one product using the patches and force the vendor to give you the src, and then redistribute it. So any potential customer of theirs must be very careful where they deploy the grsec patches, to make sure nothing can be bought by anyone who may ask for the src and may even be entitled to updates...
I suspect that makes it much less attractive to buy the subscription from them. They must know that and have a plan. It will be interesting to see what...

As of today, I just hope we can somehow find a way to at least maintain the current features and port them to newer kernels. But without an open community taking over the baton, some very nice security systems will die.

It's still early days. Several projects are doing their own thing. Such fragmentation won't help anyone.
There is at least one effort to upstream the existing (GPL) grsec patch set but naturally, that won't get new features. Well, not from the current grsec team anyway.

The fragmented organisation around 'picking up the baton' will coalesce and those with the skills and interests will take it forward.
The who, what and where will not become apparent for several months. The 4.9 kernel is a LTS kernel, so the community has until 2019 to pick up the baton and start to run.

_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

Really, what does 'upstream the existing grsec patch set' entail? Politics aside, it would be pretty much what the Gentoo team does every time they merge the patch set with a new kernel, right?

I'm not sure what the reasoning has been to not merge those patches as soon as they became available. It would be interesting to see what the main kernel devs have discussed with respect to that. I haven't seen anything negative about the patches with respect to quality or security of the code.

Realistically speaking, accepting the patches into the kernel as they had been open sourced would have saved untold hours of work for both the grsecurity team and for every distro offering a hardened kernel. Frankly if I were on the grsecurity team I would be a little bent that nobody 'upstream' bothered to do this.

I don't have the links currently, but: It was already suggested upstream (not by the grsecurity team); Linus had commented on it and required some changes, rejected some others; grsecurity declared that they did not submit these patches and are not interested in including anything upstream.
It seems to me that the grsecurity team (or at least some persons from it) want this redundant work, because this is how they make their living.

An interesting read that sheds some light on the whole issue...
This is confirming my fears about Linux going more and more mainstream: funds and credits going the wrong way, software of doubtful usefulness being pushed down our throats by almost all distros (systemd), caring less and less about security,...
Maybe I should seriously consider OpenBSD for my next customer's servers.

The consensus seems to be that Open Source Security (the company behind grsecurity) can use those terms in their contract but that also makes it infeasible for companies to use the grsecurity patches in user products. That's a pretty big limitation on the usefulness of grsecurity.